pe

package
v0.0.0-...-f2b8415 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Aug 20, 2024 License: BSD-3-Clause Imports: 15 Imported by: 0

Documentation

Overview

Package pe provides facilities for extracting information from PE binaries. It only supports the same CPU architectures as the rest of wingoes.

Index

Constants

// Data directory indices accepted by (*PEHeaders).DataDirectoryEntry. Each
// constant is the dpe constant of the same name converted to
// DataDirectoryIndex.
//
// Per the DataDirectoryEntry documentation, IMAGE_DIRECTORY_ENTRY_SECURITY
// yields []AuthenticodeCert and IMAGE_DIRECTORY_ENTRY_DEBUG yields
// []IMAGE_DEBUG_DIRECTORY; most other indices currently yield the
// DataDirectoryEntry itself.
const (
	IMAGE_DIRECTORY_ENTRY_EXPORT         = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_EXPORT)
	IMAGE_DIRECTORY_ENTRY_IMPORT         = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_IMPORT)
	IMAGE_DIRECTORY_ENTRY_RESOURCE       = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_RESOURCE)
	IMAGE_DIRECTORY_ENTRY_EXCEPTION      = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_EXCEPTION)
	IMAGE_DIRECTORY_ENTRY_SECURITY       = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_SECURITY)
	IMAGE_DIRECTORY_ENTRY_BASERELOC      = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_BASERELOC)
	IMAGE_DIRECTORY_ENTRY_DEBUG          = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_DEBUG)
	IMAGE_DIRECTORY_ENTRY_ARCHITECTURE   = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_ARCHITECTURE)
	IMAGE_DIRECTORY_ENTRY_GLOBALPTR      = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_GLOBALPTR)
	IMAGE_DIRECTORY_ENTRY_TLS            = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_TLS)
	IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
	IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT)
	IMAGE_DIRECTORY_ENTRY_IAT            = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_IAT)
	IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT)
	IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = DataDirectoryIndex(dpe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
)

Variables

// Sentinel errors returned by this package.
var (
	// ErrBadLength is returned when the actual length of a data field in the
	// binary is shorter than the expected length of that field.
	ErrBadLength = errors.New("effective length did not match expected length")
	// ErrBadCodeView is returned by (*PEHeaders).ExtractCodeViewInfo if the data
	// at the requested address does not appear to contain valid CodeView information.
	ErrBadCodeView = errors.New("invalid CodeView debug info")
	// ErrIndexOutOfRange is returned by (*PEHeaders).DataDirectoryEntry if the
	// specified index is greater than the maximum allowable index.
	ErrIndexOutOfRange = errors.New("index out of range")
	// ErrInvalidBinary is returned whenever the headers do not parse as expected,
	// or reference locations outside the bounds of the PE file or module.
	// The headers might be corrupt, malicious, or have been tampered with.
	ErrInvalidBinary = errors.New("invalid PE binary")
	// ErrNotCodeView is returned by (*PEHeaders).ExtractCodeViewInfo if the data
	// at the requested address contains a non-CodeView debug info format.
	ErrNotCodeView = errors.New("debug info is not CodeView")
	// ErrNotPresent is returned by (*PEHeaders).DataDirectoryEntry if the
	// corresponding entry is not populated in the PE image.
	ErrNotPresent = errors.New("not present in this PE image")
	// ErrResolvingFileRVA is returned when the result of arithmetic on a relative
	// virtual address did not resolve to a valid RVA.
	ErrResolvingFileRVA = errors.New("could not resolve file RVA")
	// ErrUnavailableInModule is returned when requesting data from the binary
	// that is not mapped into memory when loaded. The information must be
	// loaded from a file-based PEHeaders.
	ErrUnavailableInModule = errors.New("this information is unavailable from loaded modules; the PE file itself must be examined")
	// ErrUnsupportedMachine is returned if the binary's CPU architecture is
	// unsupported. This package currently implements support for x86, amd64,
	// and arm64.
	ErrUnsupportedMachine = errors.New("unsupported machine")
)

Functions

This section is empty.

Types

type AuthenticodeCert

type AuthenticodeCert struct {
	// contains filtered or unexported fields
}

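AuthenticodeCert represents an Authenticode signature that has been extracted from a signed PE binary but not fully parsed. Extraction alone does not validate the signature: nothing documented on this page verifies the certificate chain or the file digest, so the presence of an AuthenticodeCert should not be treated as proof that the binary is trusted.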

func (*AuthenticodeCert) Data

func (ac *AuthenticodeCert) Data() []byte

Data returns the raw bytes of ac's cert.

func (*AuthenticodeCert) Revision

func (ac *AuthenticodeCert) Revision() WIN_CERT_REVISION

Revision returns the revision of ac.

func (*AuthenticodeCert) Type

func (ac *AuthenticodeCert) Type() WIN_CERT_TYPE

Type returns the type of ac.

type DataDirectoryEntry

type DataDirectoryEntry = dpe.DataDirectory

DataDirectoryEntry is a PE/COFF IMAGE_DATA_DIRECTORY structure.

type DataDirectoryIndex

type DataDirectoryIndex int

DataDirectoryIndex is an enumeration specifying a particular entry in the data directory.

type FileHeader

type FileHeader dpe.FileHeader

FileHeader is the PE/COFF IMAGE_FILE_HEADER structure.

type IMAGE_DEBUG_DIRECTORY

// IMAGE_DEBUG_DIRECTORY describes debug information embedded in the binary.
// DataDirectoryEntry is documented to return a slice of these for
// IMAGE_DIRECTORY_ENTRY_DEBUG.
//
// NOTE(review): the fields presumably mirror the Windows SDK structure of the
// same name and are filled in from the binary itself, so the size and
// address fields should be treated as untrusted until bounds-checked;
// confirm against the parsing code.
type IMAGE_DEBUG_DIRECTORY struct {
	Characteristics  uint32
	TimeDateStamp    uint32
	MajorVersion     uint16
	MinorVersion     uint16
	Type             IMAGE_DEBUG_TYPE // kind of debug information this entry references
	SizeOfData       uint32
	AddressOfRawData uint32
	PointerToRawData uint32
}

IMAGE_DEBUG_DIRECTORY describes debug information embedded in the binary.

type IMAGE_DEBUG_INFO_CODEVIEW_UNPACKED

// IMAGE_DEBUG_INFO_CODEVIEW_UNPACKED holds CodeView debug information
// embedded in the PE file, unpacked into Go types. Its layout does not match
// the C counterpart, which is packed and also includes a signature field.
type IMAGE_DEBUG_INFO_CODEVIEW_UNPACKED struct {
	GUID    wingoes.GUID
	Age     uint32
	// PDBPath is held as a Go string rather than in the packed C form.
	// NOTE(review): this value presumably comes straight from the binary, so
	// treat it as untrusted text and validate it before using it as a
	// filesystem path or writing it to logs; confirm against the parser.
	PDBPath string
}

IMAGE_DEBUG_INFO_CODEVIEW_UNPACKED contains CodeView debug information embedded in the PE file. Note that this structure's ABI does not match its C counterpart because the former uses a Go string and the latter is packed and also includes a signature field.

func (*IMAGE_DEBUG_INFO_CODEVIEW_UNPACKED) String

String returns the data from u formatted in the same way that Microsoft debugging tools and symbol servers use to identify PDB files corresponding to a specific binary.

type IMAGE_DEBUG_TYPE

type IMAGE_DEBUG_TYPE uint32

IMAGE_DEBUG_TYPE is an enumeration for indicating the type of debug information referenced by a particular IMAGE_DEBUG_DIRECTORY.

// Named values of IMAGE_DEBUG_TYPE.
//
// IMAGE_DEBUG_TYPE_BBT is an alias of IMAGE_DEBUG_TYPE_RESERVED10 (both are
// 10). The list is not contiguous: no constants are defined for 17 or 19, so
// callers should not assume that every value read from a binary maps to one
// of these names.
const (
	IMAGE_DEBUG_TYPE_UNKNOWN               IMAGE_DEBUG_TYPE = 0
	IMAGE_DEBUG_TYPE_COFF                  IMAGE_DEBUG_TYPE = 1
	IMAGE_DEBUG_TYPE_CODEVIEW              IMAGE_DEBUG_TYPE = 2
	IMAGE_DEBUG_TYPE_FPO                   IMAGE_DEBUG_TYPE = 3
	IMAGE_DEBUG_TYPE_MISC                  IMAGE_DEBUG_TYPE = 4
	IMAGE_DEBUG_TYPE_EXCEPTION             IMAGE_DEBUG_TYPE = 5
	IMAGE_DEBUG_TYPE_FIXUP                 IMAGE_DEBUG_TYPE = 6
	IMAGE_DEBUG_TYPE_OMAP_TO_SRC           IMAGE_DEBUG_TYPE = 7
	IMAGE_DEBUG_TYPE_OMAP_FROM_SRC         IMAGE_DEBUG_TYPE = 8
	IMAGE_DEBUG_TYPE_BORLAND               IMAGE_DEBUG_TYPE = 9
	IMAGE_DEBUG_TYPE_RESERVED10            IMAGE_DEBUG_TYPE = 10
	IMAGE_DEBUG_TYPE_BBT                   IMAGE_DEBUG_TYPE = IMAGE_DEBUG_TYPE_RESERVED10
	IMAGE_DEBUG_TYPE_CLSID                 IMAGE_DEBUG_TYPE = 11
	IMAGE_DEBUG_TYPE_VC_FEATURE            IMAGE_DEBUG_TYPE = 12
	IMAGE_DEBUG_TYPE_POGO                  IMAGE_DEBUG_TYPE = 13
	IMAGE_DEBUG_TYPE_ILTCG                 IMAGE_DEBUG_TYPE = 14
	IMAGE_DEBUG_TYPE_MPX                   IMAGE_DEBUG_TYPE = 15
	IMAGE_DEBUG_TYPE_REPRO                 IMAGE_DEBUG_TYPE = 16
	IMAGE_DEBUG_TYPE_SPGO                  IMAGE_DEBUG_TYPE = 18
	IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS IMAGE_DEBUG_TYPE = 20
)

type OptionalHeader

// OptionalHeader provides the fields of a PE/COFF optional header through
// accessor methods. The underlying format differs between 32-bit and 64-bit
// PE binaries, so this interface gives callers one view over both.
//
// NOTE(review): the accessors presumably return the header values as stored
// in the binary, without validating them; values such as the checksum, the
// sizes and the entry point should be treated as untrusted input. Confirm
// against the implementations.
type OptionalHeader interface {
	GetMagic() uint16
	GetLinkerVersion() (major, minor uint8)
	GetSizeOfCode() uint32
	GetSizeOfInitializedData() uint32
	GetSizeOfUninitializedData() uint32
	GetAddressOfEntryPoint() uint32
	GetBaseOfCode() uint32
	GetImageBase() uint64
	GetSectionAlignment() uint32
	GetFileAlignment() uint32
	GetOperatingSystemVersion() (major, minor uint16)
	GetImageVersion() (major, minor uint16)
	GetSubsystemVersion() (major, minor uint16)
	GetWin32Version() uint32
	GetSizeOfImage() uint32
	GetSizeOfHeaders() uint32
	GetCheckSum() uint32
	GetSubsystem() uint16
	GetDllCharacteristics() uint16
	GetSizeOfStackReserve() uint64
	GetSizeOfStackCommit() uint64
	GetSizeOfHeapReserve() uint64
	GetSizeOfHeapCommit() uint64
	GetLoaderFlags() uint32
	GetDataDirectory() []DataDirectoryEntry

	SizeOf() uint16 // Size of the underlying struct, in bytes
}

OptionalHeader provides the fields of a PE/COFF optional header. Since the underlying format differs depending on whether the PE binary is 32-bit or 64-bit, this type provides a unified interface.

type PEHeaders

type PEHeaders struct {
	// contains filtered or unexported fields
}

PEHeaders represents the partially-parsed headers from a PE binary.

func NewPEFromFileName

func NewPEFromFileName(filename string) (*PEHeaders, error)

NewPEFromFileName opens a PE binary located at filename and parses its PE headers. Upon success it returns a non-nil *PEHeaders, otherwise it returns a nil *PEHeaders and a non-nil error. Call Close() on the returned *PEHeaders when it is no longer needed.

func (*PEHeaders) Close

func (peh *PEHeaders) Close() error

Close frees any resources that were opened when peh was created.

func (*PEHeaders) DataDirectoryEntry

func (nfo *PEHeaders) DataDirectoryEntry(idx DataDirectoryIndex) (any, error)

DataDirectoryEntry returns information from nfo's data directory at index idx. The type of the return value depends on the value of idx. Most values for idx currently return the DataDirectoryEntry itself, however it will return more sophisticated information for the following values of idx:

* IMAGE_DIRECTORY_ENTRY_SECURITY returns []AuthenticodeCert
* IMAGE_DIRECTORY_ENTRY_DEBUG returns []IMAGE_DEBUG_DIRECTORY

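Note that other idx values _will_ be modified in the future to support more sophisticated return values, so do not assume a fixed concrete type: inspect the result with a type switch or a two-value (comma-ok) type assertion, and handle the unexpected case explicitly rather than letting a single-value assertion panic.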

func (*PEHeaders) ExtractCodeViewInfo

ExtractCodeViewInfo obtains CodeView debug information from de, assuming that de represents CodeView debug info.

func (*PEHeaders) FileHeader

func (peh *PEHeaders) FileHeader() *FileHeader

FileHeader returns the FileHeader that was parsed from peh.

func (*PEHeaders) OptionalHeader

func (peh *PEHeaders) OptionalHeader() OptionalHeader

OptionalHeader returns the OptionalHeader that was parsed from peh.

func (*PEHeaders) Sections

func (peh *PEHeaders) Sections() []SectionHeader

Sections returns a slice containing all section headers parsed from peh.

type SectionHeader

type SectionHeader dpe.SectionHeader32

SectionHeader is the PE/COFF IMAGE_SECTION_HEADER structure.

func (*SectionHeader) NameString

func (s *SectionHeader) NameString() string

NameString returns the name of s as a Go string.

type WIN_CERT_REVISION

type WIN_CERT_REVISION uint16

WIN_CERT_REVISION is an enumeration from the Windows SDK.

// Values of WIN_CERT_REVISION defined by this package; this is the type
// returned by (*AuthenticodeCert).Revision.
const (
	WIN_CERT_REVISION_1_0 WIN_CERT_REVISION = 0x0100
	WIN_CERT_REVISION_2_0 WIN_CERT_REVISION = 0x0200
)

type WIN_CERT_TYPE

type WIN_CERT_TYPE uint16

WIN_CERT_TYPE is an enumeration from the Windows SDK.

// Values of WIN_CERT_TYPE defined by this package; this is the type returned
// by (*AuthenticodeCert).Type.
const (
	WIN_CERT_TYPE_X509             WIN_CERT_TYPE = 0x0001
	WIN_CERT_TYPE_PKCS_SIGNED_DATA WIN_CERT_TYPE = 0x0002
	WIN_CERT_TYPE_TS_STACK_SIGNED  WIN_CERT_TYPE = 0x0004
)
